Live phishing tests have limited educational value. Here’s why IMMERSIVE phishing training is more SCALABLE than random employee shaming:

1. There are too many attack scenarios to simulate most of them in live tests

2. The immediate feedback is not a positive experience

3. What employees remember most is “being tricked”

4. Live tests don’t allow for context-based practice

5. Learning can’t be measured accurately

When there are many more attacker scenarios than opportunities to test employees, we’re in a losing battle. When the experience of passing or failing a phishing test doesn’t immediately reward employees for learning, they aren’t motivated to retain the knowledge.

Security awareness paradox

Photo by Minh Pham on Unsplash

Join our next 5-Day Challenge to experience something completely unique

“The challenges were so quick I was able to do them in the time it took me to sip an espresso.” – IT Security Manager

When employees are tricked, they remember the shock, but not the skills they need to avoid a real attack. When only one chance to analyze a threat is provided, any learning can’t be reinforced. When scenarios change significantly in every test, there is no consistent baseline against which we can assess learning.

There is a place for live phishing tests – in quarterly auditing. But it should not be used for foundational training and assessment.

The scalable way to teach and assess employee phishing awareness skills

Immersive, gamified training allows for many scenarios to be experienced and practised much more frequently than live phishing tests. Gamification uses extrinsic and intrinsic rewards to motivate employees and provide less friction. It also has many other benefits for motivating employees and reducing friction.

To experience a much better learning environment for phishing awareness, you can request a free trial of Click Armor’s immersive, fully gamified platform.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.